Edit report at https://bugs.php.net/bug.php?id=64720&edit=1

 ID:                 64720
 Updated by:         dmi...@php.net
 Reported by:        d dot ananyev at gmail dot com
 Summary:            SegFault on zend_deactivate
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   CentOS release 6.4 (Final)
 PHP Version:        5.4.10
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:

Thank you for the report, and for helping us make PHP better.

Previous Comments:
[2013-05-21 06:35:24] dmi...@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:

Thank you for the report, and for helping us make PHP better.

[2013-05-21 06:34:09] dmi...@php.net

Automatic comment on behalf of dmi...@zend.com
Log: Fixed bug #64720 (SegFault on zend_deactivate)

[2013-05-21 05:09:53] dmi...@php.net

Script to Reproduce
class Stat {
    private static $requests;
    public static function getInstance() {
        if (!isset(self::$requests[1])) {
            self::$requests[1] = new self();
        }
        return self::$requests[1];
    }
    public function __destruct() {
    }
}

class Foo {
    public function __construct() {
    }
}

class Error {
    private $trace;
    public function __construct() {
        $this->trace = debug_backtrace(1);
    }
}

class Bar {
    public function __destruct() {
        new Error();
    }

    public function test() {
        new Error();
    }
}

$foo = new Foo();
$bar = new Bar();

The crash occurs because PHP tries to access static properties of class "Stat" 
after they are destroyed.

==22607== Invalid read of size 4
==22607==    at 0x84EA438: _zval_dtor_func (zend_variables.c:46)
==22607==    by 0x84DAA42: _zval_dtor (zend_variables.h:35)
==22607==    by 0x84DAAEF: i_zval_ptr_dtor (zend_execute.h:81)
==22607==    by 0x84DB851: _zval_ptr_dtor (zend_execute_API.c:428)
==22607==    by 0x84E032A: cleanup_user_class_data (zend_opcode.c:169)
==22607==    by 0x84E0419: zend_cleanup_user_class_data (zend_opcode.c:202)
==22607==    by 0x84FC771: zend_hash_reverse_apply (zend_hash.c:799)
==22607==    by 0x84DB4BE: shutdown_executor (zend_execute_API.c:289)
==22607==    by 0x84EC528: zend_deactivate (zend.c:939)
==22607==    by 0x84744D6: php_request_shutdown (main.c:1800)
==22607==    by 0x8585386: do_cli (php_cli.c:1176)
==22607==    by 0x8585B2F: main (php_cli.c:1377)
==22607==  Address 0x4949fa8 is 0 bytes inside a block of size 20 free'd
==22607==    at 0x4007F0F: free (vg_replace_malloc.c:446)
==22607==    by 0x84BFEA5: _efree (zend_alloc.c:2437)
==22607==    by 0x851CDEB: i_zval_ptr_dtor (zend_execute.h:82)
==22607==    by 0x8521499: execute_ex (zend_vm_execute.h:356)
==22607==    by 0x85214FD: zend_execute (zend_vm_execute.h:381)
==22607==    by 0x84DD3D5: zend_call_function (zend_execute_API.c:941)
==22607==    by 0x85080A9: zend_call_method (zend_interfaces.c:97)
==22607==    by 0x8515232: zend_objects_destroy_object (zend_objects.c:123)
==22607==    by 0x851B546: zend_objects_store_del_ref_by_handle_ex 
==22607==    by 0x851B426: zend_objects_store_del_ref (zend_objects_API.c:173)
==22607==    by 0x84EA474: _zval_dtor_func (zend_variables.c:54)
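
Added example (not part of the bug report, not PHP's code and not the committed fix): a small C model of the failure described in the comment above, where a destructor that runs during static-property cleanup releases the value the cleanup routine still holds, next to the detach-before-destroy ordering that avoids it. All names are hypothetical, and blocks are flagged rather than passed to free() so the stale access can be counted safely.

```c
#include <stddef.h>

/* Constructed model: names below are illustrative, not Zend Engine symbols. */
typedef struct value { int freed; int has_dtor; } value;

static value pool[4];
static int   used;
static value *static_prop;   /* one static property slot of a class */
static int   stale_hits;     /* touches of a block that was already released */

static value *new_value(int has_dtor) {
    value *v = &pool[used++];
    v->freed = 0;
    v->has_dtor = has_dtor;
    return v;
}

/* Blocks are flagged instead of passed to free(), so the stale touch that
   valgrind reports as "Invalid read" is counted rather than undefined. */
static void release(value *v) {
    if (v->freed) { stale_hits++; return; }
    v->freed = 1;
}

/* Userland code run from a destructor: it overwrites the static property
   if the slot is still reachable, which releases the old value. */
static void user_destructor(void) {
    if (static_prop == NULL) return;      /* slot already detached */
    release(static_prop);
    static_prop = new_value(0);
}

/* Shutdown cleanup. detach_first=0: the slot stays reachable while its value
   is destroyed. detach_first=1: the slot is cleared before destruction. */
static int cleanup_static(int detach_first) {
    used = 0; stale_hits = 0;
    static_prop = new_value(1);

    value *v = static_prop;
    if (detach_first) static_prop = NULL;
    if (v->has_dtor) user_destructor();   /* destroying contents runs the destructor */
    release(v);                           /* cleanup still holds v */
    if (static_prop) { release(static_prop); static_prop = NULL; }
    return stale_hits;
}

int main(void) {
    return (cleanup_static(0) == 1 && cleanup_static(1) == 0) ? 0 : 1;
}
```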

[2013-04-29 09:14:46] d dot ananyev at gmail dot com

It's not opcache related

[2013-04-29 09:01:31] d dot ananyev at gmail dot com

We've got the same segfault trace without any opcode cache.

Core was generated by `php-fpm: pool www                                        
Program terminated with signal 11, Segmentation fault.
#0  _zend_mm_free_int (heap=0x1177330, p=0x17926c0) at /usr/build/php-
2100            if (ZEND_MM_IS_FREE_BLOCK(next_block)) {
Missing separate debuginfos, use: debuginfo-install fftw-3.2.1-3.1.el6.x86_64 
lcms-libs-1.19-1.el6.x86_64 libc-client-2007e-11.el6.x86_64 libidn-1.18-
2.el6.x86_64 libmcrypt-2.5.8-9.el6.x86_64 librabbitmq-0.2-
0.1.git2059570.el6.remi.x86_64 libtool-ltdl-2.2.6-15.5.el6.x86_64 xz-libs-
(gdb) bt
#0  _zend_mm_free_int (heap=0x1177330, p=0x17926c0) at /usr/build/php-
#1  0x00000000007116d7 in _zval_dtor (zval_ptr=0x16beb60) at /usr/build/php-
#2  _zval_ptr_dtor (zval_ptr=0x16beb60) at /usr/build/php-5.4.10/php-
#3  0x00000000007163af in cleanup_user_class_data (pce=<value optimized out>) 
#4  zend_cleanup_user_class_data (pce=<value optimized out>) at /usr/build/php-
#5  0x000000000072b944 in zend_hash_reverse_apply (ht=0x1177c90, 
apply_func=0x716340 <zend_cleanup_user_class_data>) at /usr/build/php-
#6  0x0000000000714156 in shutdown_executor () at /usr/build/php-5.4.10/php-
#7  0x000000000071f412 in zend_deactivate () at /usr/build/php-5.4.10/php-
#8  0x00000000006c2a3c in php_request_shutdown (dummy=<value optimized out>) at 
#9  0x00000000007d0d49 in main (argc=<value optimized out>, argv=<value 
optimized out>) at /usr/build/php-5.4.10/php-5.4.10/sapi/fpm/fpm/fpm_main.c:1948


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at


Edit this bug report at https://bugs.php.net/bug.php?id=64720&edit=1
